Stonefly

Threat Actor updated a month ago (2024-10-17T13:01:59.782Z)

Download STIX

Preview STIX

Stonefly, also known as Andariel, Silent Chollima, Onyx Sleet, and APT45, is a threat actor group that has been active since at least 2015 and is believed to be linked to the North Korean government. The group has been involved in various attacks, including ransomware campaigns against Healthcare and Public Health (HPH) sector organizations in the US since May 2021. Notably, Stonefly used the Maui ransomware in these attacks to fund their activities. Furthermore, Stonefly intensified its financial attacks on U.S. companies, exploiting vulnerabilities like Log4j and deploying malware families such as DTRack and MagicRat. The group's activities escalated in the middle of last year when it actively exploited the Log4j vulnerability. Despite an indictment from the U.S. Department of Justice, Stonefly continued its financially motivated cyberattacks against U.S. organizations. The group specializes in targeting organizations holding classified or sensitive information, and in several instances, deployed its custom malware Backdoor.Preft (aka Dtrack, Valefor). In August, Stonefly launched assaults on three organizations in the U.S., even though the ransomware was never deployed, the group managed to infiltrate with multiple tools from its kit before being thwarted. Stonefly has previously targeted hospitals and other healthcare providers during the pandemic, drawing the attention of the Department of Justice. It is also known for targeting high-value espionage targets like U.S. Air Force bases, NASA Office of Inspector General, and government organizations in China, South Korea, and Taiwan. In July 2024, a member of Stonefly was indicted by U.S. authorities for his role in extorting hospitals and other institutions. Despite this, Stonefly continues its operations, flaunting the indictment and a $10 million bounty from the U.S. Department of Justice, indicating a sustained attempt to mount extortion attacks against organizations in the U.S.

Description last updated: 2024-10-17T12:33:58.642Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Andariel is a possible alias for Stonefly. Andariel, a threat actor controlled by North Korea's military intelligence agency, the Reconnaissance General Bureau, has been actively conducting cyber espionage and ransomware operations. The group funds its activities through ransomware attacks primarily targeting U.S. healthcare entities. In som	4
Silent Chollima is a possible alias for Stonefly. Silent Chollima, also known as Stonefly or APT45, is a threat actor with links to North Korea's foreign intelligence agency, the 3rd Bureau of the Foreign Intelligence and Reconnaissance General Bureau. The group has been active since at least 2015, when it began shifting its objectives. Silent Chol	4
Apt45 is a possible alias for Stonefly. APT45, also known as Andariel, Onyx Sleet, and Silent Chollima, is a North Korean threat actor associated with the Reconnaissance General Bureau, a military intelligence agency. This group has been operational since at least 2009, making it one of North Korea's longest-running cyber operators. Their	2
Dtrack is a possible alias for Stonefly. DTrack is a malicious software (malware) known for its data theft capabilities. It was first associated with North Korean threat groups and has been used in numerous cyber attacks globally. The malware infiltrates systems through suspicious downloads, emails, or websites, and once inside, it collect	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Apt

Ransomware

Malware

State Sponso...

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Stonefly Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
BankInfoSecurity	2 months ago	Breach Roundup: AI 'Nudify' Sites Serve Malware
DARKReading	2 months ago	North Korea Profits as 'Stonefly' APT Swarms US Co's.
InfoSecurity-magazine	2 months ago	Stonefly Group Targets US Firms With New Malware Tools
DARKReading	4 months ago	Feds Warn of North Korean Cyberattacks on US Critical Infrastructure
Securityaffairs	a year ago	Operation Blacksmith: Lazarus exploits Log4j flaws to deploy DLang malware
CERT-EU	a year ago	North Korean Hacker Group Andariel Strikes with New EarlyRat Malware – GIXtools
CERT-EU	a year ago	Complete Ransomware Protection Suite for Veeam, Commvault, Rubrik, and Veritas -September 22, 2023 at 01:31 pm EDT \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	a year ago	Hackers use public ManageEngine exploit to breach internet org
Securityaffairs	a year ago	North Korean Andariel APT used a new malware named EarlyRat
CERT-EU	a year ago	North Korea-linked Andariel APT used a new malware named EarlyRat last year \| IT Security News
CERT-EU	a year ago	Log4j bug exploited to push novel EarlyRat malware
CERT-EU	a year ago	North Korean Hacker Group Andariel Strikes with New EarlyRat Malware
Malwarebytes	2 years ago	CISA issues alert with South Korean government about DPRK's ransomware antics
CERT-EU	a year ago	Attacks by Lazarus sub-group involve novel EarlyRAT malware